Chart of the Week

OCT 2023: VOLUME 1

Vulnerabilities by Dependency Level in Open-Source Projects

The Data

Based on Lineaje Labs research, a staggering 77% of vulnerabilities in open source reside within transitive dependencies, which your developers generally cannot patch directly. Open-source projects pull in dependency trees 20+ levels deep, and along with those dependencies come their vulnerabilities. Lineaje AI Labs analyzed 121,443 open-source projects and discovered 118,573 vulnerabilities in them.

  • Fixable by your developers: 23% of vulnerabilities are in direct dependencies. These are patchable when fixes are available, whether as independent patches, minor updates or major version upgrades.
  • Mostly not fixable by your developers: 77% of vulnerabilities are in transitive dependencies, and patching them is complicated. Less than 32% of all available fixes take the form of independent patches, and even applying an independent patch at transitive dependency level 2 or deeper can break the dependency that pulls it in, and with it your application.
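The split above depends on knowing, for every vulnerable component, how deep in the tree it sits. The following is an added example (not Lineaje's code or methodology) showing how to compute that from a CycloneDX-style SBOM: walk the dependency graph breadth-first from the root component so each component gets its shortest-path level (level 1 = direct, level 2+ = transitive), then roll up vulnerability findings per level. The SBOM, package names and vulnerability IDs are constructed placeholders, not real packages or advisories.

```python
"""Classify vulnerability findings by dependency level from a CycloneDX-style SBOM.

Added example; the SBOM below is constructed and uses placeholder names and IDs.
"""
from collections import deque

# Constructed sample SBOM (CycloneDX 1.4+ shape: metadata.component, dependencies,
# vulnerabilities[].affects[].ref). Nothing here refers to a real package or advisory.
SAMPLE_SBOM = {
    "metadata": {"component": {"bom-ref": "pkg:npm/example-app@1.0.0"}},
    "dependencies": [
        {"ref": "pkg:npm/example-app@1.0.0",
         "dependsOn": ["pkg:npm/lib-a@2.0.0", "pkg:npm/lib-b@1.4.0"]},
        {"ref": "pkg:npm/lib-a@2.0.0", "dependsOn": ["pkg:npm/lib-c@0.9.0"]},
        {"ref": "pkg:npm/lib-b@1.4.0",
         "dependsOn": ["pkg:npm/lib-c@0.9.0", "pkg:npm/lib-d@3.1.0"]},
        {"ref": "pkg:npm/lib-c@0.9.0", "dependsOn": ["pkg:npm/lib-e@5.0.1"]},
        {"ref": "pkg:npm/lib-d@3.1.0", "dependsOn": []},
        {"ref": "pkg:npm/lib-e@5.0.1", "dependsOn": []},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "affects": [{"ref": "pkg:npm/lib-a@2.0.0"}]},
        {"id": "EXAMPLE-0002", "affects": [{"ref": "pkg:npm/lib-c@0.9.0"}]},
        {"id": "EXAMPLE-0003", "affects": [{"ref": "pkg:npm/lib-c@0.9.0"}]},
        {"id": "EXAMPLE-0004", "affects": [{"ref": "pkg:npm/lib-e@5.0.1"}]},
    ],
}


def dependency_levels(sbom):
    """Return {bom-ref: level}: 0 for the root, 1 for direct dependencies,
    2 for dependencies of direct dependencies, and so on.

    BFS gives every component its shortest path from the root, so a package the
    root depends on directly is counted as direct even if some deeper package
    also pulls it in. That is the convention behind a direct/transitive split.
    """
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    root = sbom["metadata"]["component"]["bom-ref"]
    levels = {root: 0}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in graph.get(ref, []):
            if child not in levels:
                levels[child] = levels[ref] + 1
                queue.append(child)
    return levels


def vulnerabilities_by_level(sbom):
    """Count findings per dependency level.

    A vulnerability affecting several components is counted once per affected
    component. Components listed in a finding but not reachable from the root
    (orphaned SBOM entries) are bucketed under "unreachable" rather than silently
    dropped, so the totals stay auditable.
    """
    levels = dependency_levels(sbom)
    counts = {}
    for vuln in sbom.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            level = levels.get(target["ref"], "unreachable")
            counts[level] = counts.get(level, 0) + 1
    return counts


def direct_vs_transitive_share(sbom):
    """Return (direct_fraction, transitive_fraction) over reachable findings."""
    counts = vulnerabilities_by_level(sbom)
    direct = counts.get(1, 0)
    transitive = sum(n for lvl, n in counts.items()
                     if isinstance(lvl, int) and lvl >= 2)
    total = direct + transitive
    if total == 0:
        return (0.0, 0.0)
    return (direct / total, transitive / total)


def max_depth(sbom):
    """Deepest dependency level reachable from the root."""
    return max(dependency_levels(sbom).values())


if __name__ == "__main__":
    print("levels:", dependency_levels(SAMPLE_SBOM))
    print("findings by level:", vulnerabilities_by_level(SAMPLE_SBOM))
    print("direct/transitive share:", direct_vs_transitive_share(SAMPLE_SBOM))
    print("max depth:", max_depth(SAMPLE_SBOM))
```

On the constructed SBOM this reports one finding at level 1 and three at levels 2 and 3, i.e. a 25%/75% direct/transitive split and a tree three levels deep. Run against a real SBOM, the per-level histogram is what tells you how much of your backlog an `npm update`, `pip install -U` or equivalent on your direct dependencies can actually reach, and how much is locked behind someone else's release cycle.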

The Implication

  • A Paradigm Shift in Vulnerability Management: This statistic underscores the need for a paradigm shift in how we manage vulnerabilities. Developers and security teams must now broaden their scope beyond direct dependencies, conducting thorough evaluations of the entire software supply chain dependency tree.
  • Collaboration is Key: With the majority of vulnerabilities residing in transitive dependencies, fostering strong collaboration within the open-source community becomes paramount. Sharing knowledge, experiences, and best practices for managing dependencies will strengthen the collective effort to secure the open-source ecosystem.
  • Strategic Decision-making on Alternatives or “Inner Source”: In cases where transitive dependencies pose insurmountable risks, project stakeholders may need to consider alternatives. This could involve exploring different components or even opting for custom solutions by building components in-house (inner source).
  • Elevated Trust in Open-Source Software: By actively managing vulnerabilities in transitive dependencies, the open-source community can build and maintain trust with users. This transparency and dedication to security demonstrate a commitment to providing reliable and secure software solutions.
  • Beware AppSec tools pushing “quick vulnerability remediation”: asking your developers to patch vulnerabilities in transitive dependencies themselves is a risky, sub-optimal approach to remediation.